Attackers are exploiting a bug to install malware on vulnerable PCs.

Hackers are exploiting a previously unknown vulnerability in Microsoft Windows and Office software that allows computers to be infected with malware, the company warned in advisories published Tuesday.

The advanced exploit arrives in a booby-trapped Word document attached to e-mails, Elia Florio of the Microsoft Security Response Center wrote on Tuesday. The attacks are narrowly targeted at certain individuals or companies and are mostly found in the Middle East and South Asia. The malicious document exploits a vulnerability in Microsoft's graphics device interface that makes it possible for attackers to remotely execute any code of their choice.

"If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics image embedded in the document," Dustin Childs, group manager in the Microsoft Trustworthy Computing group, wrote in a separate advisory. "An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user." A third advisory is here.

Microsoft has issued a temporary fix that people can install and use until a permanent patch is available. While it doesn't repair the root cause of the vulnerability, the temporary measure blocks rendering of the graphic format that triggers the bug. Other temporary measures available to Windows and Office users are modifying the Windows registry to prevent TIFF image files from being displayed or installing version 4.0 of EMET, short for the Enhanced Mitigation Experience Toolkit.

The vulnerability affects Microsoft Windows Vista and Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync. The way Office 2010 renders graphics makes it vulnerable only when running on older platforms such as Windows XP or Windows Server 2003. Office 2010 isn't affected when running on versions 7, 8, and 8.1 of Windows.

Florio said the exploit payload uses advanced techniques to bypass protections that Microsoft engineers added to later versions of Windows to make them more resistant to code-execution attacks.

"In order to achieve code execution, the exploit combines multiple techniques to bypass DEP and ASLR protections," Florio wrote, referring to the data execution prevention and address space layout randomization exploit mitigations. "Specifically, the exploit code performs a large memory heap-spray using ActiveX controls (instead of the usual scripting) and uses hardcoded ROP gadgets to allocate executable pages. This also means the exploit will fail on machines hardened to block ActiveX controls embedded in Office documents (e.g. Protected View mode used by Office 2010) or on computers equipped with a different version of the module used to build the static ROP gadgets."
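A defender's first triage question for an inbound Office attachment is whether it carries the two ingredients the advisories describe together: an embedded TIFF image and ActiveX controls. The following Python script is an added example, not code from Microsoft, McAfee or the article, that inspects an OOXML package (.docx) for both, identifying TIFF parts by their header bytes rather than by file extension, and does a cruder raw-bytes check for legacy binary .doc files. The sample document it builds is constructed in memory for the demonstration and is not a real malicious file; the part names under word/media/ and word/activeX/ follow the OOXML package layout.

```python
import io
import zipfile

# A TIFF file starts with a byte-order mark followed by the number 42:
# little-endian "II*\0" or big-endian "MM\0*".
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")


def is_tiff(data: bytes) -> bool:
    """Identify TIFF by its header bytes, not by the file extension."""
    return data[:4] in TIFF_MAGIC


def _find_all(blob: bytes, needle: bytes):
    """Yield every offset at which needle occurs in blob."""
    i = blob.find(needle)
    while i != -1:
        yield i
        i = blob.find(needle, i + 1)


def scan_ooxml(blob: bytes) -> dict:
    """Inspect an OOXML package (.docx/.xlsx/.pptx) held in memory.

    Returns the embedded parts whose bytes look like TIFF, any ActiveX
    control parts, and a 'flag' that is True only when both are present,
    the combination described for the in-the-wild document.
    """
    result = {"tiff_parts": [], "activex_parts": [], "flag": False}
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                lower = name.lower()
                if "/activex/" in lower:
                    result["activex_parts"].append(name)
                    continue
                # Only media and embedded-object parts need the header check.
                if "/media/" in lower or "/embeddings/" in lower:
                    with zf.open(name) as part:
                        head = part.read(4)
                    if is_tiff(head):
                        result["tiff_parts"].append(name)
    except zipfile.BadZipFile:
        result["error"] = "not an OOXML package (legacy binary .doc or something else)"
        return result
    result["flag"] = bool(result["tiff_parts"] and result["activex_parts"])
    return result


def scan_legacy_doc(blob: bytes) -> dict:
    """Legacy binary .doc files are OLE compound files, not zips; as a cheap
    first pass, report every offset at which a TIFF header appears."""
    offsets = [i for magic in TIFF_MAGIC for i in _find_all(blob, magic)]
    return {"tiff_offsets": sorted(offsets), "flag": bool(offsets)}


def build_sample_docx() -> bytes:
    """Constructed sample: a tiny fake .docx with a TIFF-headed image part
    (deliberately misnamed .png) and an ActiveX control part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"II*\x00" + b"\x00" * 64)
        zf.writestr("word/activeX/activeX1.xml", "<ax:ocx/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_ooxml(build_sample_docx()))
```

Presence of either part is not evidence of exploitation, since both TIFF images and ActiveX controls are legitimate Office features; the script is a routing filter that sends matching attachments to a sandbox or quarantine queue. It complements, rather than replaces, the controls Florio names: Protected View, which keeps embedded ActiveX from running, and the temporary fix that blocks TIFF rendering.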

ROP refers to return-oriented programming, a technique that bypasses DEP by chaining together small fragments of code already present in the application's own executable memory so that, run in sequence, they do the attacker's work without any new executable code being introduced. Once Windows, Office, or Lync programs process the maliciously designed TIFF files, system memory is corrupted in a way that allows the attacker to execute arbitrary code. Microsoft credited Haifei Li of McAfee Labs' IPS Team for reporting the graphics vulnerability.
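Florio's observation that the exploit relies on hardcoded ROP gadgets and fails on computers with a different build of the gadget module points to the usual precondition for static ROP: a module that loads at a predictable address, which ASLR denies only when the module opts in. The following Python script is an added example, not from the article or from Microsoft, that reads the DllCharacteristics and file Characteristics fields of a PE header and reports whether an image is marked for ASLR (DYNAMIC_BASE, and not relocation-stripped) and for DEP (NX_COMPAT). The PE images it examines are constructed header-only samples for the demonstration; in practice you would feed it the bytes of the DLLs in an Office or Windows installation.

```python
import struct

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # COFF Characteristics: no relocations, cannot be rebased
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit image can use high-entropy ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image may be relocated at load time (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # image is marked DEP-compatible

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Parse just enough of a PE image to report its ASLR/DEP opt-in flags."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    _size_of_optional, characteristics = struct.unpack_from("<HH", data, coff + 16)
    optional = coff + 20                     # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, optional)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    dll_characteristics = struct.unpack_from("<H", data, optional + 70)[0]

    dynamic_base = bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # DYNAMIC_BASE means nothing if the relocation table was stripped:
        # the loader cannot move an image it cannot fix up.
        "aslr_effective": dynamic_base and not relocs_stripped,
        "high_entropy_va": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def find_unprotected(images: dict) -> list:
    """Given name -> image bytes, return the names lacking effective ASLR or DEP opt-in."""
    weak = []
    for name, blob in images.items():
        m = pe_mitigations(blob)
        if not (m["aslr_effective"] and m["nx_compat"]):
            weak.append(name)
    return sorted(weak)


def build_minimal_pe(dll_characteristics: int, file_characteristics: int = 0,
                     pe32plus: bool = False) -> bytes:
    """Construct a header-only PE image for demonstration (not a loadable binary)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    size_of_optional = 240 if pe32plus else 224
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       size_of_optional, file_characteristics)
    return dos_header + b"PE\x00\x00" + coff + bytes(optional)


if __name__ == "__main__":
    # Constructed samples: a hardened image, a legacy image with no opt-ins,
    # and one that claims DYNAMIC_BASE but has had its relocations stripped.
    samples = {
        "hardened.dll": build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                         | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "legacy.dll": build_minimal_pe(0),
        "stripped.dll": build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
                                         IMAGE_FILE_RELOCS_STRIPPED),
    }
    for name, blob in samples.items():
        print(name, pe_mitigations(blob))
    print("needs attention:", find_unprotected(samples))
```

To run it against real modules, read each DLL with `open(path, "rb").read()` and pass the dictionary to `find_unprotected`. A module that turns up on that list is exactly the kind of fixed-address, non-NX image that static ROP gadgets can be built against, and EMET's mandatory ASLR setting (mentioned in the advisories as an optional mitigation) exists to force relocation of such images.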

Haifei Li said the exploit technique is novel.

"It is worth to note that this heap-spraying in Office via ActiveX objects is a new exploitation trick which we didn’t see before," Li wrote in a separate blog post. "Previously attackers usually chose Flash Player to spray memory in Office. We would believe the new trick was developed under the background that Adobe introduced a click-to-play feature in Flash Player months ago, which basically killed the old one. This is another proof that attacking technique always tries to evolve when old ones don’t work anymore."

The good news out of these advisories is that the attacks observed so far are extremely targeted, as opposed to the kinds of drive-by exploits that occasionally flare up on compromised websites. Also encouraging is that only a small portion of the Microsoft ecosystem is susceptible. That said, it's possible the attacks are more widespread than reported since it's not uncommon for initial advisories to miss some activity. Readers who use software listed as potentially vulnerable would do well to install the temporary fix and to stay apprised of the latest developments in this attack.

Promoted Comments

Quote:

I'd imagine that most businesses will upgrade to W7, willingly or reluctantly. However, the majority of non-business users will probably stick with XP out of laziness, ignorance or indifference. If so, it's very likely that by the end of 2014 all XP computers connected to the internet will be infected.

It's really up to the AV/Security vendors to pick up the slack. Personally I think switching to W7 is a mistake at this point. You are probably better off with Windows 8, and running your old XP based applications in the safety of a VM under the new HyperV. From what I've seen it's not a deliberate choice, a lot of XP business users are stuck with some application that they can't upgrade.

It may be time to rethink the MS Total Cost of Ownership argument -- especially for newer businesses.

While there's certainly a "cost" to purchasing software and hardware, the cost of menacing 0-day malware infestation and botnets is certainly harder to calculate. It's possible to run Office on Mac and even have a virtualized machine to run legacy ActiveX scripts within a very controlled environment -- as ActiveX becomes legacy even for Internet Explorer, this may be the "default option" even for MS shops not wanting to run unpatchable versions of IE.

Educating users against the risk is nigh impossible and AV solutions tend to mitigate but not solve the problem.

With Windows now a minority platform among "computing devices" (devices that have more computing power than your average WinXP machine) and videos of toddlers using iPads before reading, the "re-education" argument is becoming moot. Your "average user" has an iPhone or Android already -- and loves it.

A Mac Office or Google Docs environment may well be "easier to use" for your average user than the reviled Windows 8 -- which has its own learning curve. Silicon Valley has already switched. Everyone else will soon follow -- whatever "soon" means in your business segment.

I'd imagine that most businesses will upgrade to W7, willingly or reluctantly. However, the majority of non-business users will probably stick with XP out of laziness, ignorance or indifference. If so, it's very likely that by the end of 2014 all XP computers connected to the internet will have some degree of infestation.

Quote:

I'd imagine that most businesses will upgrade to W7, willingly or reluctantly. However, the majority of non-business users will probably stick with XP out of laziness, ignorance or indifference. If so, it's very likely that by the end of 2014 all XP computers connected to the internet will be infected.

Quote:

It's really up to the AV/Security vendors to pick up the slack. Personally I think switching to W7 is a mistake at this point. You are probably better off with Windows 8, and running your old XP based applications in the safety of a VM under the new HyperV. From what I've seen it's not a deliberate choice, a lot of XP business users are stuck with some application that they can't upgrade.

Oh, it is a deliberate choice alright. It may cost a lot of money to replace or rewrite some applications - especially custom written, in-house apps - but the decision not to spend the time or money is consciously made.

Quote:

I'd imagine that most businesses will upgrade to W7, willingly or reluctantly. However, the majority of non-business users will probably stick with XP out of laziness, ignorance or indifference. If so, it's very likely that by the end of 2014 all XP computers connected to the internet will be infected.

Quote:

It's really up to the AV/Security vendors to pick up the slack. Personally I think switching to W7 is a mistake at this point. You are probably better off with Windows 8, and running your old XP based applications in the safety of a VM under the new HyperV. From what I've seen it's not a deliberate choice, a lot of XP business users are stuck with some application that they can't upgrade.

An affiliate organization we support just recently started an upgrade process that updated, migrated, and virtualized their AS400 to get it off the decrepit mid-90s hardware. Previously, they were stuck on a PC5250 Emulation client so old it would only run on 32-bit XP. Thankfully, that was the last legacy XP application we supported. Now, with the virtualized, updated AS400, they are now working towards a modern, web-based application, and we're pushing our sole remaining affiliate to upgrade their 10 or so XP workstations before April (under threat of kicking said PCs off the network).

XP was nice while it lasted, but it's been high time to ditch it for the last 3 or 4 years. And, unless you have a touchscreen, there's not much incentive to push our staff to 8 or 8.1 yet. We'll probably just wait for Windows 9 or whatever it's called.

Quote:

I'd imagine that most businesses will upgrade to W7, willingly or reluctantly. However, the majority of non-business users will probably stick with XP out of laziness, ignorance or indifference. If so, it's very likely that by the end of 2014 all XP computers connected to the internet will be infected.

Quote:

It's really up to the AV/Security vendors to pick up the slack. Personally I think switching to W7 is a mistake at this point. You are probably better off with Windows 8, and running your old XP based applications in the safety of a VM under the new HyperV. From what I've seen it's not a deliberate choice, a lot of XP business users are stuck with some application that they can't upgrade.

Well, the case can be made for Windows 7, especially for small business.

Nothing at all wrong with Windows 8 that some training doesn't fix (actually a fan of it), but Windows 7 Professional (most likely for a business) does have a unique feature in Windows XP Mode. Windows XP Mode gives you a virtualized Windows XP desktop license at no cost. Each user can have their own Windows XP environment as needed, and it even takes special steps to hide XP and just run the application as if it was running on Windows 7 natively (other than file system and hardware differences).

So for a small/medium sized business, that has a need to run XP for legacy software, Windows 7 is more economical. XP mode is not available for Windows 8, even pro versions.

Quote:

XP was nice while it lasted, but it's been high time to ditch it for the last 3 or 4 years. And, unless you have a touchscreen, there's not much incentive to push our staff to 8 or 8.1 yet. We'll probably just wait for Windows 9 or whatever it's called.

At the risk of rehashing the same argument over and over and over again, Win8 works fine without touch. Just like using Win7.

Quote:

I'd imagine that most businesses will upgrade to W7, willingly or reluctantly. However, the majority of non-business users will probably stick with XP out of laziness, ignorance or indifference. If so, it's very likely that by the end of 2014 all XP computers connected to the internet will have some degree of infestation.

[Edit: grammar]

MS is in a catch-22. On the one hand they need folks to upgrade for better security (and to get more revenue from the OS sales.)

But, on the other hand, a lot of businesses are tired of the upgrade treadmill, and tired of getting stuck with legacy apps coded for an old OS.

So, some companies are ditching OS-specific apps, and focusing on agnostic web-apps now. If more and more companies untie their apps from a specific OS, then it means MS has less grip on entrenched customers.

They sort of shot themselves in the foot here, too, by rolling out some so-so OS versions, and then just ramping up the upgrade cycle to every 2 years.

Quote:

I'd imagine that most businesses will upgrade to W7, willingly or reluctantly. However, the majority of non-business users will probably stick with XP out of laziness, ignorance or indifference. If so, it's very likely that by the end of 2014 all XP computers connected to the internet will have some degree of infestation.

[Edit: grammar]

Quote:

MS is in a catch-22. On the one hand they need folks to upgrade for better security (and to get more revenue from the OS sales.)

But, on the other hand, a lot of businesses are tired of the upgrade treadmill, and tired of getting stuck with legacy apps coded for an old OS.

So, some companies are ditching OS-specific apps, and focusing on agnostic web-apps now. If more and more companies untie their apps from a specific OS, then it means MS has less grip on entrenched customers.

They sort of shot themselves in the foot here, too, by rolling out some so-so OS versions, and then just ramping up the upgrade cycle to every 2 years.

Have there been any major OS changes in 7 & 8 that would break many Vista applications in a way that wouldn't be trivial to fix?

Quote:

I'd imagine that most businesses will upgrade to W7, willingly or reluctantly. However, the majority of non-business users will probably stick with XP out of laziness, ignorance or indifference. If so, it's very likely that by the end of 2014 all XP computers connected to the internet will be infected.

Quote:

It's really up to the AV/Security vendors to pick up the slack. Personally I think switching to W7 is a mistake at this point. You are probably better off with Windows 8, and running your old XP based applications in the safety of a VM under the new HyperV. From what I've seen it's not a deliberate choice, a lot of XP business users are stuck with some application that they can't upgrade.

Quote:

Oh, it is a deliberate choice alright. It may cost a lot of money to replace or rewrite some applications - especially custom written, in-house apps - but the decision not to spend the time or money is consciously made.

I agree. Recently worked a job where the management did NOT want to upgrade an application to dotNet while originally written in VB5, later upgraded to VB6 (Windows 95). They were adding new functionality to it! The problem was one of the worst examples of improper user data entry validation I've ever seen. If the user failed to enter correct data, the application just crashed. Users were expected to know to clear the error message box and start the application all over again. Sometimes the previous instance wouldn't clear from RAM and would still be running. Run time errors would often overwrite program settings. It sort of ran in Win7/8 in a primitive sandbox. Components used were from the original runtimes. "User experience" disaster regularly re-occurring.

Quote:

But, on the other hand, a lot of businesses are tired of the upgrade treadmill, and tired of getting stuck with legacy apps coded for an old OS.

So, some companies are ditching OS-specific apps, and focusing on agnostic web-apps now. If more and more companies untie their apps from a specific OS, then it means MS has less grip on entrenched customers.

They sort of shot themselves in the foot here, too, by rolling out some so-so OS versions, and then just ramping up the upgrade cycle to every 2 years.

And when your webapps need integration into a new system?

There's always going to be an "upgrade treadmill". There's always going to be sustaining engineering costs to factor in for.

Quote:

I'd imagine that most businesses will upgrade to W7, willingly or reluctantly. However, the majority of non-business users will probably stick with XP out of laziness, ignorance or indifference. If so, it's very likely that by the end of 2014 all XP computers connected to the internet will have some degree of infestation.

[Edit: grammar]

Quote:

MS is in a catch-22. On the one hand they need folks to upgrade for better security (and to get more revenue from the OS sales.)

But, on the other hand, a lot of businesses are tired of the upgrade treadmill, and tired of getting stuck with legacy apps coded for an old OS.

So, some companies are ditching OS-specific apps, and focusing on agnostic web-apps now. If more and more companies untie their apps from a specific OS, then it means MS has less grip on entrenched customers.

They sort of shot themselves in the foot here, too, by rolling out some so-so OS versions, and then just ramping up the upgrade cycle to every 2 years.

Quote:

Have there been any major OS changes in 7 & 8 that would break many Vista applications in a way that wouldn't be trivial to fix?

[Edited for grammar gremlins]

<opinion>security status of the User got a big workover in Win7 and again in Windows 8. Anything that requires user privileges, especially non-standard ones allowed the base users. Anything using One-Click install. </opinion>

Quote:

XP was nice while it lasted, but it's been high time to ditch it for the last 3 or 4 years. And, unless you have a touchscreen, there's not much incentive to push our staff to 8 or 8.1 yet. We'll probably just wait for Windows 9 or whatever it's called.

Quote:

At the risk of rehashing the same argument over and over and over again, Win8 works fine without touch. Just like using Win7.

Whatever. I'll still wait for the next one and stick with 7 until the wheels fall off. By then touchscreens will be ubiquitous (or desktops and laptops will be endangered relics), and this whole argument will be moot.

EDIT: It should be noted we upgraded to Win7 last year. No sense in two active OSes (XP is considered phase-out). Besides, I can count 5 people at my work who've even seen anything resembling Windows 8 (myself included) let alone used it, and 2 are WP8 users.

Quote:

Nothing at all wrong with Windows 8 that some training doesn't fix (actually a fan of it), but Windows 7 Professional (most likely for a business) does have a unique feature in Windows XP Mode. Windows XP Mode gives you a virtualized Windows XP desktop license at no cost. Each user can have their own Windows XP environment as needed, and it even takes special steps to hide XP and just run the application as if it was running on Windows 7 natively (other than file system and hardware differences).

Unfortunately, "Windows XP Mode follows the same support lifecycle as Windows XP—extended support will end April 8, 2014." http://windows.microsoft.com/en-US/wind ... -windows-7 Maybe it'll still be possible to install it-- I'm not sure-- but it will present some of the same issues.

(Hopefully contained within the virtual environment at least; I don't know how hard it is to use a VM to inject an exploit into the primary OS, or if that's even possible.)

Quote:

I'd imagine that most businesses will upgrade to W7, willingly or reluctantly. However, the majority of non-business users will probably stick with XP out of laziness, ignorance or indifference. If so, it's very likely that by the end of 2014 all XP computers connected to the internet will be infected.

Quote:

It's really up to the AV/Security vendors to pick up the slack. Personally I think switching to W7 is a mistake at this point. You are probably better off with Windows 8, and running your old XP based applications in the safety of a VM under the new HyperV. From what I've seen it's not a deliberate choice, a lot of XP business users are stuck with some application that they can't upgrade.

No, absolutely not! A/V tools can do nothing against a big number of attacks, like (non-exhaustive list) ones targeting network stack, or USB drivers etc or other low-level software out of reach for the A/V. And having your Windows XP in a VM will do nothing to protect all the company's critical files on network, which the Windows XP VM has access to! It would only protect the host computer running another system but in an enterprise, losing the computers is the least worry - it's the data that's the real thing, and that data is normally on the network. By the way, this also means Windows XP Mode on Win 7 will not help for security, or so little.

Regarding Windows 8, have you ever used that OS with mouse and keyboard? Despite the Windows 8.1 improvements it's still a very, very awkward experience with lots of incoherencies causing users to have to switch multiple times between Metro and Desktop settings app just to administrate things as simple as network or users&groups. No reasonable company with any ambition to get even the slightest bit of productivity out of its employees would deploy Windows 8 on them! I do agree however that under the hood security changes from Windows 8 / 8.1 make it an upgrade over Windows 7, which itself is not bad and worlds above Windows XP (regarding security).

Quote:

Regarding Windows 8, have you ever used that OS with mouse and keyboard?

Yes, on my desktop, laptop, and HTPC. I don't own a touch device so mouse (or trackpad) and keyboard are the only way I've ever used Win8.

Quote:

Despite the Windows 8.1 improvements it's still a very, very awkward experience with lots of incoherencies causing users to have to switch multiple times between Metro and Desktop settings app just to administrate things as simple as network or users&groups.

Bullshit. Just do it all on the desktop, that's what I do. Don't use the metro settings at all. The only inconsistencies are in your head.

Quote:

Regarding Windows 8, have you ever used that OS with mouse and keyboard? Despite the Windows 8.1 improvements it's still a very, very awkward experience with lots of incoherencies causing users to have to switch multiple times between Metro and Desktop settings app just to administrate things as simple as network or users&groups. No reasonable company with any ambition to get even the slightest bit of productivity out of its employees would deploy Windows 8 on them! I do agree however that under the hood security changes from Windows 8 / 8.1 make it an upgrade over Windows 7, which itself is not bad and worlds above Windows XP (regarding security).

It's perfectly navigable with mouse and keyboard, if you don't like Metro just stay out of it. It's otherwise the same as 7 in your daily workflow.

Quote:

I'd imagine that most businesses will upgrade to W7, willingly or reluctantly. However, the majority of non-business users will probably stick with XP out of laziness, ignorance or indifference. If so, it's very likely that by the end of 2014 all XP computers connected to the internet will be infected.

Quote:

It's really up to the AV/Security vendors to pick up the slack. Personally I think switching to W7 is a mistake at this point. You are probably better off with Windows 8, and running your old XP based applications in the safety of a VM under the new HyperV. From what I've seen it's not a deliberate choice, a lot of XP business users are stuck with some application that they can't upgrade.

No major corporation is going to Windows 8 anytime soon. No flipping way.

The permanent fix is called Linux and LibreOffice, I suggest Xubuntu or SolydX for a classic and reliable desktop experience.

Once you take this final step, you can say goodbye to malware, cracks, driver hunting, product activation and expiration, serial numbers, license fees and many other annoyances Microsoft has never fixed in decades, and never will.

Besides, what future can they possibly have, without Ballmer and Gates? Break your chains today...

Quote:

I'd imagine that most businesses will upgrade to W7, willingly or reluctantly. However, the majority of non-business users will probably stick with XP out of laziness, ignorance or indifference. If so, it's very likely that by the end of 2014 all XP computers connected to the internet will have some degree of infestation.

[Edit: grammar]

I'll bet money the biggest offender of XP Holdout is the US government. I was on a Jury that had to look at video camera footage saved in .avi, and they whipped out their Windows 2000 box (Pentium 2 300MHz, 128MB ram), and tried to play the files.

Also, while I would love to have none of my machines on XP, I have 5 machines at home. I've upgraded 3 of them (1 Vista and 2 Win 7s), but I spent $500 on XP for those machines, another $230 to upgrade what I have, but the XP machines still run everything I throw at them great, and since they're machines for my kids, aren't justified with spending another $300. My Vista machine is an HTPC, so I'd have to get Win8 Pro ($120) + Media Center ($10) -or- Win 8 ($100) + Upgrade to Pro+MC ($100), for a machine that runs just fine now...

Quote:

The permanent fix is called Linux and LibreOffice, I suggest Xubuntu or SolydX for a classic and reliable desktop experience.

Nah, been there, done that. LibreOffice is great if you miss that 90's retro UI feel, and desire all the stability of the Windows 95a era.

Quote:

Once you take this final step, you can say goodbye to malware, cracks, driver hunting, product activation and expiration, serial numbers, license fees

...productivity, compatibility, efficiency, expediency....

And heh, "driver hunting"? That's adorable. It was a pretty obvious troll anyway, but you slipped up there. Nobody, not even RMS, ESR, or Linus himself would say drivers are harder to find for Windows than they are for Linux. And in Windows you have the bonus of not having to re-compile your drivers after a simple security patch!

Quote:

Besides, what future can they possibly have, without Ballmer and Gates? Break your chains today...

I mean, no matter what you think of Windows (8 on down...), moving to Linux is not a "solution" to needing to get corporate systems validated and updated for security and functionality. You're still going to have to run things by your sysadmins and developers.

Quote:

I mean, no matter what you think of Windows (8 on down...), moving to Linux is not a "solution" to needing to get corporate systems validated and updated for security and functionality. You're still going to have to run things by your sysadmins and developers.

Personally, I don't think linux is a solution to anything (my home server is FreeBSD).

Windows 8 works exactly like Windows 7, the start menu/screen just looks different. The desktop looks and works just the same as it's done for years. I just love the attitude that "if you don't like this single change to the start menu/screen UI, then you'll like changing the UI everywhere! You even like changing the end-user software, the underlying system architecture, and how you use a computer in general!" It's SO moronic.

And hypocritical. It's not like Ubuntu hasn't changed its UI. And if something as basic as a start screen paralyses you with fear, I'd like to see you try converting to or reverting from Unity on an OS you're unfamiliar with.

Quote:

Regarding Windows 8, have you ever used that OS with mouse and keyboard? Despite the Windows 8.1 improvements it's still a very, very awkward experience with lots of incoherencies causing users to have to switch multiple times between Metro and Desktop settings app just to administrate things as simple as network or users&groups. No reasonable company with any ambition to get even the slightest bit of productivity out of its employees would deploy Windows 8 on them! I do agree however that under the hood security changes from Windows 8 / 8.1 make it an upgrade over Windows 7, which itself is not bad and worlds above Windows XP (regarding security).

Yes, I've used Windows 8 with both mouse and keyboard, and via touch.

It's crap via mouse and keyboard, but less annoying than via touch. The Metro part isn't too bad in touch, but there's very little I use that is Metro.

Quote:

It may be time to rethink the MS Total Cost of Ownership argument -- especially for newer businesses.

While there's certainly a "cost" to purchasing software and hardware, the cost of menacing 0-day malware infestation and botnets is certainly harder to calculate. It's possible to run Office on Mac and even have a virtualized machine to run legacy ActiveX scripts within a very controlled environment -- as ActiveX becomes legacy even for Internet Explorer, this may be the "default option" even for MS shops not wanting to run unpatchable versions of IE.

Educating users against the risk is nigh impossible and AV solutions tend to mitigate but not solve the problem.

With Windows now a minority platform among "computing devices" (devices that have more computing power than your average WinXP machine) and videos of toddlers using iPads before reading, the "re-education" argument is becoming moot. Your "average user" has an iPhone or Android already -- and loves it.

A Mac Office or Google Docs environment may well be "easier to use" for your average user than the reviled Windows 8 -- which has its own learning curve. Silicon Valley has already switched. Everyone else will soon follow -- whatever "soon" means in your business segment.

Your argument that the change is inevitable is based on the extremely poor assumption that the "hard to calculate" existing costs of using MS are significantly higher than the "hard to calculate" new costs of transitioning to and using some other system. When you consider the potential IT costs required just to transition business, industry, and company/custom software that seems unlikely. Then you have to add lost productivity costs, training costs, opportunity costs, and new hardware costs (if going to Mac) on top of that (and that's just off the top of my head).

Very few existing businesses are going to invest that kind of money on a major transition based on your gut-feel (right or wrong), and because the costs are "hard to calculate" it will be that much harder for you to show how that huge investment will produce any of the real world savings that would be required to justify it.

In short for a business, the devil you know is better than the devil you don't...